This is an automated email from the ASF dual-hosted git repository.
thiagoelg pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git
The following commit(s) were added to refs/heads/main by this push:
new 4fafa748fa6 [NO-ISSUE] Update tomcat-embed-core, angus-mail and other
deps. (#3313)
4fafa748fa6 is described below
commit 4fafa748fa6874bb9340c0d9920b5c41a833d2b2
Author: Tibor Zimányi <[email protected]>
AuthorDate: Thu Oct 23 15:29:21 2025 +0200
[NO-ISSUE] Update tomcat-embed-core, angus-mail and other deps. (#3313)
---
packages/dev-deployment-quarkus-blank-app/pom.xml | 20 ++++++++++++++++++++
packages/dev-deployment-upload-service/main.go | 9 +++++----
packages/maven-base/pom.xml | 8 ++++++++
3 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/packages/dev-deployment-quarkus-blank-app/pom.xml
b/packages/dev-deployment-quarkus-blank-app/pom.xml
index 05e5cbab00e..297f71cfa63 100644
--- a/packages/dev-deployment-quarkus-blank-app/pom.xml
+++ b/packages/dev-deployment-quarkus-blank-app/pom.xml
@@ -61,10 +61,30 @@
<version.commons-io>2.16.1</version.commons-io>
<version.com.google.protobuf>3.25.5</version.com.google.protobuf>
<version.io.netty>4.1.127.Final</version.io.netty>
+
+ <!-- These versions are overrides for transitive dependencies, to fix
security vulnerabilities.
+ They need to be checked with Quarkus and Spring Boot upgrades and
eventually removed, if they are not needed anymore. -->
+ <version.angus.mail>2.0.5</version.angus.mail>
+ <version.nimbus.jose.jwt>9.37.4</version.nimbus.jose.jwt>
+ <!-- End of various transitive overrides. -->
</properties>
<dependencyManagement>
<dependencies>
+ <!-- These versions are overrides for transitive dependencies, to fix
security vulnerabilities.
+ They need to be checked with Quarkus and Spring Boot upgrades and
eventually removed, if they are not needed anymore. -->
+ <dependency>
+ <groupId>org.eclipse.angus</groupId>
+ <artifactId>angus-mail</artifactId>
+ <version>${version.angus.mail}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>nimbus-jose-jwt</artifactId>
+ <version>${version.nimbus.jose.jwt}</version>
+ </dependency>
+ <!-- End of various transitive overrides. -->
+
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-bom</artifactId>
diff --git a/packages/dev-deployment-upload-service/main.go
b/packages/dev-deployment-upload-service/main.go
index ef7bac20cc7..c09cdc07a58 100644
--- a/packages/dev-deployment-upload-service/main.go
+++ b/packages/dev-deployment-upload-service/main.go
@@ -25,6 +25,7 @@ import (
"context"
"fmt"
"html"
+ "io"
"io/ioutil"
"net/http"
"os"
@@ -87,7 +88,7 @@ func main() {
// Validate --unzip-at
if _, err := os.Stat(unzipAtArgString); err == nil {
fmt.Fprintf(os.Stdout, LOG_PREFIX+"✅ Found directory '%s'.\n",
unzipAtArgString)
- } else if err := os.MkdirAll(unzipAtArgString, os.ModePerm); err != nil
{ // os.ModePerm == chmod 777
+ } else if err := os.MkdirAll(filepath.Clean(unzipAtArgString),
os.ModePerm); err != nil { // os.ModePerm == chmod 777
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌ ERROR: Creating directory
'%s' failed:\n", unzipAtArgString)
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌ ERROR: %+v\n", err)
os.Exit(1)
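Review bot: The `filepath.Clean` wrapped around `unzipAtArgString` on the MkdirAll line normalizes separators and `.`/`..` segments but does not restrict where the directory is created, so if it was added to silence a path-from-input lint finding, the remaining concern is the mode, not the path. The flag is operator-supplied, so traversal is not the issue here, but `os.ModePerm` creates a world-writable directory that the later extraction (which also uses `os.ModePerm`) builds on; unless the container runs as an arbitrary UID that needs write access there, `os.MkdirAll(unzipAtArgString, 0o755)` is the safer default and the `// os.ModePerm == chmod 777` comment should say why 777 is required if it is kept. The `os.Stat` check on the previous line and the log line still use the uncleaned string, so either clean it once before the Stat or drop the Clean here for consistency. main continues outside the hunk.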
@@ -223,7 +224,7 @@ func main() {
}
// Always try and write the dirs where the files are
going to be written to.
- if err :=
os.MkdirAll(filepath.Dir(extractedZippedFilePath), os.ModePerm); err != nil {
// os.ModePerm == chmod 777
+ if err :=
os.MkdirAll(filepath.Dir(filepath.Clean(extractedZippedFilePath)),
os.ModePerm); err != nil { // os.ModePerm == chmod 777
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌ ERROR:
Creating directory '%s' failed:\n", filepath.Dir(extractedZippedFilePath))
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌ ERROR:
%+v\n", err)
w.WriteHeader(http.StatusInternalServerError)
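Review bot: `filepath.Clean` on `extractedZippedFilePath` does not protect against zip-slip: if that path is built by joining the upload directory with `zipFile.Name` (the construction is above the hunk, so this is inferred), an entry named `../../something` still cleans to a path outside the target directory and the MkdirAll on the changed line will happily create it. Since this handler receives archives over HTTP, the entry path needs an explicit containment check against the base directory before any filesystem operation, and the same checked path should then feed the `os.Create` further down. This is the kind of check gosec's G305 finding is about; Clean alone satisfies the linter without changing the behaviour. The sketch below assumes `unzipAtArgString` is the base directory in scope here (it is declared in main per the hunk header) and that `strings` is imported; adjust the rejection to whatever the surrounding loop returns. main continues outside the hunk.
```go
// … unchanged: extractedZippedFilePath is derived from zipFile.Name above …
cleanedPath := filepath.Clean(extractedZippedFilePath)
basePrefix := filepath.Clean(unzipAtArgString) + string(os.PathSeparator)
if !strings.HasPrefix(cleanedPath, basePrefix) {
	fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌ ERROR: Zip entry '%s' resolves outside the target directory.\n", zipFile.Name)
	w.WriteHeader(http.StatusBadRequest)
	return
}
// Always try and write the dirs where the files are going to be written to.
if err := os.MkdirAll(filepath.Dir(cleanedPath), os.ModePerm); err != nil { // os.ModePerm == chmod 777
	// … unchanged: error reporting …
```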
@@ -235,7 +236,7 @@ func main() {
// Only write the file if it's not a dir
if !zipFile.FileInfo().IsDir() {
- f, err := os.Create(extractedZippedFilePath)
+ f, err :=
os.Create(filepath.Clean(extractedZippedFilePath))
if err != nil {
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌
ERROR: Creating file '%s' failed:\n", extractedZippedFilePath)
fmt.Fprintf(os.Stderr, LOG_PREFIX+"❌
ERROR: %+v\n", err)
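Review bot: `os.Create(filepath.Clean(extractedZippedFilePath))` opens a normalized path while the error message two lines below still prints the uncleaned `extractedZippedFilePath`, so a rejected or failing write is logged under a name that may differ from the one actually attempted. Computing `cleanedPath := filepath.Clean(extractedZippedFilePath)` once where the path is built and using it for the MkdirAll, the `os.Create` and both log lines removes the divergence and gives a single place to validate that the entry stays inside the target directory, which Clean by itself does not guarantee. The file handle `f` and its close are outside the hunk, so the lifetime of the created file is not reviewed here. main continues outside the hunk.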
@@ -316,7 +317,7 @@ func readZipFile(zf *zip.File) ([]byte, error) {
}
defer f.Close()
- return ioutil.ReadAll(f)
+ return io.ReadAll(f)
}
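Review bot: Swapping `ioutil.ReadAll` for `io.ReadAll` changes nothing functionally (the former has delegated to the latter since Go 1.16), so the unbounded read of an uploaded zip entry remains: a small archive can expand to gigabytes in memory and take the service down. Since `zf` is a `*zip.File`, a cheap first gate is `if zf.UncompressedSize64 > maxEntryBytes { return nil, fmt.Errorf("zip entry %q exceeds %d bytes", zf.Name, maxEntryBytes) }`, but the header value is attacker-controlled, so the actual bound should be enforced on the stream too, e.g. `return io.ReadAll(io.LimitReader(f, maxEntryBytes+1))` followed by a length check that rejects the entry when it hits the cap. The import hunk keeps `io/ioutil` alongside the new `io`; if this was its last use the package should be dropped, otherwise the remaining callers are candidates for the same migration. readZipFile's opening lines are outside the hunk.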
func printUsage() {
diff --git a/packages/maven-base/pom.xml b/packages/maven-base/pom.xml
index 1beba7634a9..bf7b291ae60 100644
--- a/packages/maven-base/pom.xml
+++ b/packages/maven-base/pom.xml
@@ -138,6 +138,14 @@
<version.org.mockito>4.11.0</version.org.mockito>
<version.org.kie.j2cl.tools.yaml.mapper>0.4</version.org.kie.j2cl.tools.yaml.mapper>
<version.io.netty>4.1.127.Final</version.io.netty>
+
+ <!-- These versions are overrides for transitive dependencies, to fix
security vulnerabilities.
+ They need to be checked with Quarkus and Spring Boot upgrades and
eventually removed, if they are not needed anymore. -->
+ <version.tomcat.embed.core>10.1.48</version.tomcat.embed.core>
+ <version.apache.commons.lang3>3.18.0</version.apache.commons.lang3>
+ <version.angus.mail>2.0.5</version.angus.mail>
+ <version.nimbus.jose.jwt>9.37.4</version.nimbus.jose.jwt>
+ <!-- End of various transitive overrides. -->
</properties>
<dependencyManagement>
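Review bot: `version.tomcat.embed.core` and `version.apache.commons.lang3` are introduced as properties only; the diffstat records eight insertions for this file and this hunk accounts for all of them, so no `dependencyManagement` entry in this commit references them. Unless an existing managed dependency or a child POM already interpolates `${version.tomcat.embed.core}` and `${version.apache.commons.lang3}` (not visible here), these two pins have no effect on the resolved versions and the vulnerabilities the comment says they fix remain in the tree, while the angus-mail and nimbus-jose-jwt properties at least get matching managed entries in the quarkus-blank-app POM. Please confirm with `mvn dependency:tree` that 10.1.48 and 3.18.0 actually win, and consider recording in the comment which advisory each override addresses so it can be retired safely at the next Quarkus/Spring Boot bump.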